Rust: CFG for match expressions

paldepind · paldepind · commit a935bded361b · 2024-09-16T17:16:37.000+02:00
diff --git a/rust/ql/lib/codeql/rust/controlflow/internal/Completion.qll b/rust/ql/lib/codeql/rust/controlflow/internal/Completion.qll
@@ -6,6 +6,7 @@ private import SuccessorType
 private newtype TCompletion =
   TSimpleCompletion() or
   TBooleanCompletion(Boolean b) or
+  TMatchCompletion(Boolean isMatch) or
   TBreakCompletion() or
   TContinueCompletion() or
   TReturnCompletion()
@@ -53,6 +54,10 @@ abstract class ConditionalCompletion extends NormalCompletion {
   /** Gets the Boolean value of this conditional completion. */
   final boolean getValue() { result = value }
 
+  final predicate succeeded() { value = true }
+
+  final predicate failed() { value = false }
+
   /** Gets the dual completion. */
   abstract ConditionalCompletion getDual();
 }
@@ -71,6 +76,8 @@ class BooleanCompletion extends ConditionalCompletion, TBooleanCompletion {
       expr.getOp() = ["&&", "||"] and
       e = [expr.getLhs(), expr.getRhs()]
     )
+    or
+    any(MatchArm arm).getGuard() = e
   }
 
   /** Gets the dual Boolean completion. */
@@ -81,6 +88,22 @@ class BooleanCompletion extends ConditionalCompletion, TBooleanCompletion {
   override string toString() { result = "boolean(" + value + ")" }
 }
 
+/**
+ * A completion that represents the result of a pattern match.
+ */
+class MatchCompletion extends TMatchCompletion, ConditionalCompletion {
+  MatchCompletion() { this = TMatchCompletion(value) }
+
+  override predicate isValidForSpecific(AstNode e) { e = any(MatchArm arm).getPat() }
+
+  override MatchSuccessor getAMatchingSuccessorType() { result.getValue() = value }
+
+  /** Gets the dual match completion. */
+  override MatchCompletion getDual() { result = TMatchCompletion(value.booleanNot()) }
+
+  override string toString() { result = "match(" + value + ")" }
+}
+
 /**
  * A completion that represents a break.
  */
diff --git a/rust/ql/lib/codeql/rust/controlflow/internal/ControlFlowGraphImpl.qll b/rust/ql/lib/codeql/rust/controlflow/internal/ControlFlowGraphImpl.qll
@@ -94,13 +94,13 @@ class LogicalOrBinaryOpExprTree extends PreOrderTree instanceof BinaryExpr {
     // Edge from the last node in the lhs to the first node in the rhs
     last(super.getLhs(), pred, c) and
     first(super.getRhs(), succ) and
-    c.(BooleanCompletion).getValue() = false
+    c.(BooleanCompletion).failed()
   }
 
   override predicate last(AstNode node, Completion c) {
     // Lhs. as the last node
     last(super.getLhs(), node, c) and
-    c.(BooleanCompletion).getValue() = true
+    c.(BooleanCompletion).succeeded()
     or
     // Rhs. as the last node
     last(super.getRhs(), node, c) // and
@@ -124,13 +124,13 @@ class LogicalAndBinaryOpExprTree extends PreOrderTree instanceof BinaryExpr {
     // Edge from the last node in the lhs to the first node in the rhs
     last(super.getLhs(), pred, c) and
     first(super.getRhs(), succ) and
-    c.(BooleanCompletion).getValue() = true
+    c.(BooleanCompletion).succeeded()
   }
 
   override predicate last(AstNode node, Completion c) {
     // Lhs. as the last node
     last(super.getLhs(), node, c) and
-    c.(BooleanCompletion).getValue() = false
+    c.(BooleanCompletion).failed()
     or
     // Rhs. as the last node
     last(super.getRhs(), node, c)
@@ -205,11 +205,11 @@ class IfExprTree extends PostOrderTree instanceof IfExpr {
     // Edges from the condition to the branches
     last(super.getCondition(), pred, c) and
     (
-      first(super.getThen(), succ) and c.(BooleanCompletion).getValue() = true
+      first(super.getThen(), succ) and c.(BooleanCompletion).succeeded()
       or
-      first(super.getElse(), succ) and c.(BooleanCompletion).getValue() = false
+      first(super.getElse(), succ) and c.(BooleanCompletion).failed()
       or
-      not super.hasElse() and succ = this and c.(BooleanCompletion).getValue() = false
+      not super.hasElse() and succ = this and c.(BooleanCompletion).failed()
     )
     or
     // An edge from the then branch to the last node
@@ -272,6 +272,52 @@ class LoopExprTree extends PostOrderTree instanceof LoopExpr {
   }
 }
 
+class MatchArmTree extends ControlFlowTree instanceof MatchArm {
+  override predicate propagatesAbnormal(AstNode child) { child = super.getExpr() }
+
+  override predicate first(AstNode node) { node = super.getPat() }
+
+  override predicate succ(AstNode pred, AstNode succ, Completion c) {
+    // Edge from pattern to guard/arm if match succeeds.
+    pred = super.getPat() and
+    c.(MatchCompletion).succeeded() and
+    (if super.hasGuard() then first(super.getGuard(), succ) else first(super.getExpr(), succ))
+    or
+    // Edge from guard to arm if the guard succeeds.
+    last(super.getGuard(), pred, c) and
+    first(super.getExpr(), succ) and
+    c.(BooleanCompletion).succeeded()
+  }
+
+  override predicate last(AstNode node, Completion c) {
+    node = super.getPat() and c.(MatchCompletion).failed()
+    or
+    last(super.getGuard(), node, c) and c.(BooleanCompletion).failed()
+    or
+    last(super.getExpr(), node, c)
+  }
+}
+
+class MatchExprTree extends PostOrderTree instanceof MatchExpr {
+  override predicate propagatesAbnormal(AstNode child) { child = super.getABranch().getExpr() }
+
+  override predicate first(AstNode node) { first(super.getExpr(), node) }
+
+  override predicate succ(AstNode pred, AstNode succ, Completion c) {
+    // Edge from the scrutinee to the first arm.
+    last(super.getExpr(), pred, c) and succ = super.getBranch(0).getPat()
+    or
+    // Edge from a failed match/guard in one arm to the beginning of the next arm.
+    exists(int i |
+      last(super.getBranch(i), pred, c) and
+      first(super.getBranch(i + 1), succ) and
+      c.(ConditionalCompletion).failed()
+    )
+    or
+    exists(int i | last(super.getBranch(i), pred, c) and succ = this and completionIsSimple(c))
+  }
+}
+
 class MethodCallExprTree extends StandardPostOrderTree instanceof MethodCallExpr {
   override ControlFlowTree getChildNode(int i) {
     result = super.getReceiver() and
diff --git a/rust/ql/lib/codeql/rust/controlflow/internal/SuccessorType.qll b/rust/ql/lib/codeql/rust/controlflow/internal/SuccessorType.qll
@@ -4,6 +4,7 @@ cached
 newtype TSuccessorType =
   TSuccessorSuccessor() or
   TBooleanSuccessor(Boolean b) or
+  TMatchSuccessor(Boolean b) or
   TBreakSuccessor() or
   TContinueSuccessor() or
   TReturnSuccessor()
@@ -30,13 +31,24 @@ abstract private class ConditionalSuccessor extends SuccessorTypeImpl {
 
   /** Gets the Boolean value of this successor. */
   final boolean getValue() { result = value }
-
-  override string toString() { result = this.getValue().toString() }
 }
 
 /** A boolean control flow successor for a boolean conditon. */
 final class BooleanSuccessor extends ConditionalSuccessor, TBooleanSuccessor {
   BooleanSuccessor() { this = TBooleanSuccessor(value) }
+
+  override string toString() { result = this.getValue().toString() }
+}
+
+/**
+ * A control flow successor of a pattern match.
+ */
+final class MatchSuccessor extends ConditionalSuccessor, TMatchSuccessor {
+  MatchSuccessor() { this = TMatchSuccessor(value) }
+
+  override string toString() {
+    if this.getValue() = true then result = "match" else result = "no-match"
+  }
 }
 
 /** A `break` control flow successor. */
